[send it to the list this time] The group of ACCEPTs allows packets to ports 5900-5907 from localhost to localhost because this is the INPUT chain. The group of REJECTs blocks packets to ports 5900-5907, smtp, http, imap2 and imaps from anywhere to localhost). He didn't say how he is accessing his proxy. Which port? HTTP or HTTPS? Do his proxies have public addresses? Is there a NAT firewall between his two servers and the internet? If so, does that firewall allow traffic to server2? If these are all the rules, I don't see any netfilter-related reason why server1 does not work while server does work. N On Sun, 11 Feb 2018 21:03:04 +0000 André Paulsberg-Csibi (IBM Consultant) <Andre.Paulsberg-Csibi@xxxxxxxx> wrote: > Hi , > > Even if you have not explained how this is setup , it seems very unlikely the issue with server1 could be the iptables FW ... > ... I can only GUESS here since there is not enough data to be 100% sure . > However there are not really any relevant difference in the rules for server1 and server2 , and the ruleset is not setup in what I would call best practice . > In essence both rules allow for everything , except SMTP , HTTP , IMAP2 and IMAPS > Unless your SQUID PROXY setup is using one of the 4 ports associated with the 4 services ( and normally it would not ) it should not be blocked . > > REJECT tcp -- anywhere anywhere tcp dpt:smtp reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp dpt:http reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp dpt:imap2 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp dpt:imaps reject-with icmp-port-unreachable > > From what I can understand all other rules are not needed / since they are covered by a DEFAULT ACCEPT in this "SETUP" > > You can normally verify this if you use the syntax > > "sudo iptables -nvL" > This will show you hit counters statistics > If you then try from outside "telnet server1 3128" ( you may need to change the port 3128 with whatever port your squid setup uses , but 3128 is normally the default ) > > Then when you another "sudo iptables -nvL" right after and none of the counters have increase for any DROP / REJECT rule > > > > Best regards > André Paulsberg-Csibi > Senior Network Engineer > IBM Services AS > > -----Opprinnelig melding----- > Fra: netfilter-owner@xxxxxxxxxxxxxxx [mailto:netfilter-owner@xxxxxxxxxxxxxxx] På vegne av Peng Yu > Sendt: lørdag 10. februar 2018 06.28 > Til: netfilter@xxxxxxxxxxxxxxx > Emne: How to check why HTTP proxy is not accessible from outside? > > Hi, > > I have squid HTTP proxy running on both of the following servers > (server 1 and 2). But the proxy service on server1 can not be accessed > from outside. > > I am not familiar with the output of iptables. Could the difference > explain why proxy on server1 is not accessible? Thanks. > > server1:~$ sudo iptables -L > Chain INPUT (policy ACCEPT) > target prot opt source destination > REJECT tcp -- anywhere anywhere tcp > dpt:smtp reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:http reject-with icmp-port-unreachable > ACCEPT tcp -- localhost anywhere tcp dpt:5900 > ACCEPT tcp -- localhost anywhere tcp dpt:5901 > ACCEPT tcp -- localhost anywhere tcp dpt:5902 > ACCEPT tcp -- localhost anywhere tcp dpt:5903 > ACCEPT tcp -- localhost anywhere tcp dpt:5904 > ACCEPT tcp -- localhost anywhere tcp dpt:5905 > ACCEPT tcp -- localhost anywhere tcp dpt:5906 > ACCEPT tcp -- localhost anywhere tcp dpt:5907 > REJECT tcp -- anywhere anywhere tcp > dpt:5900 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5901 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5902 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5903 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5904 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5905 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5906 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5907 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:imap2 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:imaps reject-with icmp-port-unreachable > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > server2:~$ sudo iptables -L > Chain INPUT (policy ACCEPT) > target prot opt source destination > ACCEPT tcp -- localhost anywhere tcp dpt:5900 > ACCEPT tcp -- localhost anywhere tcp dpt:5901 > ACCEPT tcp -- localhost anywhere tcp dpt:5902 > ACCEPT tcp -- localhost anywhere tcp dpt:5903 > ACCEPT tcp -- localhost anywhere tcp dpt:5904 > ACCEPT tcp -- localhost anywhere tcp dpt:5905 > ACCEPT tcp -- localhost anywhere tcp dpt:5906 > ACCEPT tcp -- localhost anywhere tcp dpt:5907 > REJECT tcp -- anywhere anywhere tcp > dpt:5900 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5901 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5902 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5903 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5904 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5905 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5906 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:5907 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:smtp reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:http reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:imap2 reject-with icmp-port-unreachable > REJECT tcp -- anywhere anywhere tcp > dpt:imaps reject-with icmp-port-unreachable > > Chain FORWARD (policy ACCEPT) > target prot opt source destination > > Chain OUTPUT (policy ACCEPT) > target prot opt source destination > -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
